| // possible deadlock in strp_sock_lock |
| // https://syzkaller.appspot.com/bug?id=3c525eb32f20839275e11b8935ad6f72d0041141 |
| // status:open |
| // autogenerated by syzkaller (https://github.com/google/syzkaller) |
| |
| #define _GNU_SOURCE |
| |
| #include <endian.h> |
| #include <stdint.h> |
| #include <stdio.h> |
| #include <stdlib.h> |
| #include <string.h> |
| #include <sys/syscall.h> |
| #include <sys/types.h> |
| #include <unistd.h> |
| |
| #define BITMASK(bf_off, bf_len) (((1ull << (bf_len)) - 1) << (bf_off)) |
| #define STORE_BY_BITMASK(type, htobe, addr, val, bf_off, bf_len) \ |
| *(type*)(addr) = \ |
| htobe((htobe(*(type*)(addr)) & ~BITMASK((bf_off), (bf_len))) | \ |
| (((type)(val) << (bf_off)) & BITMASK((bf_off), (bf_len)))) |
| |
| #ifndef __NR_bpf |
| #define __NR_bpf 321 |
| #endif |
| |
| uint64_t r[3] = {0xffffffffffffffff, 0xffffffffffffffff, 0xffffffffffffffff}; |
| |
| int main(void) |
| { |
| syscall(__NR_mmap, 0x20000000, 0x1000000, 3, 0x32, -1, 0); |
| intptr_t res = 0; |
| res = syscall(__NR_socket, 2, 1, 0); |
| if (res != -1) |
| r[0] = res; |
| *(uint16_t*)0x20e5b000 = 2; |
| *(uint16_t*)0x20e5b002 = htobe16(0x4e20); |
| *(uint32_t*)0x20e5b004 = htobe32(0xe0000001); |
| syscall(__NR_bind, r[0], 0x20e5b000, 0x10); |
| *(uint16_t*)0x20ccb000 = 2; |
| *(uint16_t*)0x20ccb002 = htobe16(0x4e20); |
| *(uint32_t*)0x20ccb004 = htobe32(0); |
| syscall(__NR_connect, r[0], 0x20ccb000, 0x10); |
| *(uint32_t*)0x20eb0fb8 = 1; |
| *(uint32_t*)0x20eb0fbc = 3; |
| *(uint64_t*)0x20eb0fc0 = 0x209ff000; |
| *(uint8_t*)0x209ff000 = 0x18; |
| STORE_BY_BITMASK(uint8_t, , 0x209ff001, 0, 0, 4); |
| STORE_BY_BITMASK(uint8_t, , 0x209ff001, 0, 4, 4); |
| *(uint16_t*)0x209ff002 = 0; |
| *(uint32_t*)0x209ff004 = 0; |
| *(uint8_t*)0x209ff008 = 0; |
| *(uint8_t*)0x209ff009 = 0; |
| *(uint16_t*)0x209ff00a = 0; |
| *(uint32_t*)0x209ff00c = 0; |
| *(uint8_t*)0x209ff010 = 0x95; |
| *(uint8_t*)0x209ff011 = 0; |
| *(uint16_t*)0x209ff012 = 0; |
| *(uint32_t*)0x209ff014 = 0; |
| *(uint64_t*)0x20eb0fc8 = 0x20000000; |
| memcpy((void*)0x20000000, "syzkaller\000", 10); |
| *(uint32_t*)0x20eb0fd0 = 4; |
| *(uint32_t*)0x20eb0fd4 = 0xb7; |
| *(uint64_t*)0x20eb0fd8 = 0x206ab000; |
| *(uint32_t*)0x20eb0fe0 = 0; |
| *(uint32_t*)0x20eb0fe4 = 0; |
| *(uint8_t*)0x20eb0fe8 = 0; |
| *(uint8_t*)0x20eb0fe9 = 0; |
| *(uint8_t*)0x20eb0fea = 0; |
| *(uint8_t*)0x20eb0feb = 0; |
| *(uint8_t*)0x20eb0fec = 0; |
| *(uint8_t*)0x20eb0fed = 0; |
| *(uint8_t*)0x20eb0fee = 0; |
| *(uint8_t*)0x20eb0fef = 0; |
| *(uint8_t*)0x20eb0ff0 = 0; |
| *(uint8_t*)0x20eb0ff1 = 0; |
| *(uint8_t*)0x20eb0ff2 = 0; |
| *(uint8_t*)0x20eb0ff3 = 0; |
| *(uint8_t*)0x20eb0ff4 = 0; |
| *(uint8_t*)0x20eb0ff5 = 0; |
| *(uint8_t*)0x20eb0ff6 = 0; |
| *(uint8_t*)0x20eb0ff7 = 0; |
| *(uint32_t*)0x20eb0ff8 = 0; |
| *(uint32_t*)0x20eb0ffc = 0; |
| *(uint32_t*)0x20eb1000 = -1; |
| *(uint32_t*)0x20eb1004 = 8; |
| *(uint64_t*)0x20eb1008 = 0x20000000; |
| *(uint32_t*)0x20000000 = 0; |
| *(uint32_t*)0x20000004 = 0; |
| *(uint32_t*)0x20eb1010 = 0; |
| *(uint32_t*)0x20eb1014 = 0x10; |
| *(uint64_t*)0x20eb1018 = 0x20000000; |
| *(uint32_t*)0x20000000 = 0; |
| *(uint32_t*)0x20000004 = 0; |
| *(uint32_t*)0x20000008 = 0; |
| *(uint32_t*)0x2000000c = 0; |
| *(uint32_t*)0x20eb1020 = 0; |
| res = syscall(__NR_bpf, 5, 0x20eb0fb8, 0x48); |
| if (res != -1) |
| r[1] = res; |
| res = syscall(__NR_socket, 0x29, 0x1000000000000005, 0); |
| if (res != -1) |
| r[2] = res; |
| *(uint32_t*)0x2031aff8 = r[0]; |
| *(uint32_t*)0x2031affc = r[1]; |
| syscall(__NR_ioctl, r[2], 0x89e0, 0x2031aff8); |
| *(uint32_t*)0x20000080 = r[0]; |
| *(uint32_t*)0x20000084 = r[1]; |
| syscall(__NR_ioctl, r[2], 0x89e0, 0x20000080); |
| return 0; |
| } |
